Security Industry Waits to See The Impact on
Their Jobs
As Ex-Uber CSO Heads to Trial, the Security Community Reels
Joe Sullivan, Uber’s former chief of security, faces criminal charges for his
handling of a 2016 security breach. His trial this week has divided the security
industry.
Joe Sullivan was a rock star in the information security world.
One of the first federal prosecutors to work on cybercrime cases in the late
1990s, he jumped into the corporate security world in 2002, eventually taking on
high-profile roles as chief of security at Facebook and Uber.
“Everyone knew him; I was in awe, frankly,” said Renee Guttmann, who was the
CISO for Coca-Cola and Campbell Soup. “He was an industry leader.”
So it came as a shock to many in the community when Mr. Sullivan was fired by
Uber in 2017, accused of mishandling a security incident the year before.
Despite the scandal, Mr. Sullivan got a new job as chief of security at
Cloudflare, an internet infrastructure company, which he left in July to focus
on the trial.
But the investigation into the incident at Uber continued, and in 2020, the same
prosecutor’s office where Mr. Sullivan had worked decades earlier charged him
with two felonies, in what is believed to be the first time a company executive
has faced potential criminal liability for an alleged data breach. Mr. Sullivan
has pleaded not guilty to the charges.
Other chief security officers are following the case closely, worried about what
it means for them.
“A lot of sitting chief information security officers are going to their bosses
and asking if they have D.&O. insurance and, if not, can I have it?”
After being charged, Mr. Sullivan sued Uber to force it to pay his legal fees in
the criminal case, and they reached a private settlement.
Some security officers are sympathetic to how Mr. Sullivan handled the security
incident at the center of the criminal case, while others say it was clearly
inappropriate. In 2016, according to a criminal complaint, Mr. Sullivan learned
that hackers had secured access to the personal data of about 600,000 Uber
drivers and some personal information associated with 57 million riders and
drivers. Prosecutors accuse Mr. Sullivan of directing those responsible to the
company’s bug bounty program, which Uber, like many companies, had set up as a
financial incentive for third parties to report its security vulnerabilities.
Uber ultimately paid the hackers, two men in their 20s, $100,000 in Bitcoin and
had them sign nondisclosure agreements, according to the criminal complaint.
Uber did not disclose the incident to the public, nor did it inform the Federal
Trade Commission, which was investigating the company for its privacy and
security practices.
A member of Uber’s security team around that time, who spoke on the condition of
anonymity, said he hadn’t been surprised when he heard about Mr. Sullivan’s
indictment, given the aggressive, do-what-it-takes culture he experienced at the
company.
Prosecutors have accused Mr. Sullivan of obstructing justice and concealing a
felony for not disclosing the breach or revealing it to the F.T.C.
Mr. Sullivan’s spokesman said he could not discuss the case given the upcoming
trial. Uber declined to comment.
nytimes.com
Here's the Daily's previous coverage on the Uber case:
August 4, 2022:
Fraud charges in hacking case against Uber ex-security chief are dismissed
July 26, 2022:
Uber admits massive 2016 data breach coverup, cooperates with feds
April 28, 2022:
Former Uber Chief Security Officer To Face Wire Fraud Charges
August 24, 2020:
Watch: Former Uber CSO Charged With Covering Up 2016 Data Breach
August 21, 2020:
Former Chief Security Officer For Uber Charged With Obstruction Of Justice
September 27, 2018:
Uber Fined $148 Million for Breach Cover-Up
February 7, 2018:
Uber Paid Hackers $100K to Destroy Stolen Data on 57M people, Keep Quiet
December 1, 2017:
Three Uber security managers resign after CEO criticizes practices